cojson 0.0.5 → 0.0.7

package/dist/crypto.test.mjs

@@ -0,0 +1,155 @@
+"use strict";
+import {
+  getRecipientID,
+  getSignatoryID,
+  secureHash,
+  newRandomRecipient,
+  newRandomSignatory,
+  seal,
+  sign,
+  openAs,
+  verify,
+  shortHash,
+  newRandomKeySecret,
+  encryptForTransaction,
+  decryptForTransaction,
+  sealKeySecret,
+  unsealKeySecret
+} from "./crypto";
+import { base58, base64url } from "@scure/base";
+import { x25519 } from "@noble/curves/ed25519";
+import { xsalsa20_poly1305 } from "@noble/ciphers/salsa";
+import { blake3 } from "@noble/hashes/blake3";
+import stableStringify from "fast-json-stable-stringify";
+test("Signatures round-trip and use stable stringify", () => {
+  const data = { b: "world", a: "hello" };
+  const signatory = newRandomSignatory();
+  const signature = sign(signatory, data);
+  expect(signature).toMatch(/^signature_z/);
+  expect(
+    verify(signature, { a: "hello", b: "world" }, getSignatoryID(signatory))
+  ).toBe(true);
+});
+test("Invalid signatures don't verify", () => {
+  const data = { b: "world", a: "hello" };
+  const signatory = newRandomSignatory();
+  const signatory2 = newRandomSignatory();
+  const wrongSignature = sign(signatory2, data);
+  expect(verify(wrongSignature, data, getSignatoryID(signatory))).toBe(false);
+});
+test("Sealing round-trips, but invalid receiver can't unseal", () => {
+  const data = { b: "world", a: "hello" };
+  const sender = newRandomRecipient();
+  const recipient1 = newRandomRecipient();
+  const recipient2 = newRandomRecipient();
+  const recipient3 = newRandomRecipient();
+  const nOnceMaterial = {
+    in: "co_zTEST",
+    tx: { sessionID: "co_agent_zTEST_session_zTEST", txIndex: 0 }
+  };
+  const sealed = seal(
+    data,
+    sender,
+    /* @__PURE__ */ new Set([getRecipientID(recipient1), getRecipientID(recipient2)]),
+    nOnceMaterial
+  );
+  expect(sealed[getRecipientID(recipient1)]).toMatch(/^sealed_U/);
+  expect(sealed[getRecipientID(recipient2)]).toMatch(/^sealed_U/);
+  expect(
+    openAs(sealed, recipient1, getRecipientID(sender), nOnceMaterial)
+  ).toEqual(data);
+  expect(
+    openAs(sealed, recipient2, getRecipientID(sender), nOnceMaterial)
+  ).toEqual(data);
+  expect(
+    openAs(sealed, recipient3, getRecipientID(sender), nOnceMaterial)
+  ).toBeUndefined();
+  const nOnce = blake3(
+    new TextEncoder().encode(stableStringify(nOnceMaterial))
+  ).slice(0, 24);
+  const recipient3priv = base58.decode(
+    recipient3.substring("recipientSecret_z".length)
+  );
+  const senderPub = base58.decode(
+    getRecipientID(sender).substring("recipient_z".length)
+  );
+  const sealedBytes = base64url.decode(
+    sealed[getRecipientID(recipient1)].substring("sealed_U".length)
+  );
+  const sharedSecret = x25519.getSharedSecret(recipient3priv, senderPub);
+  expect(() => {
+    const _ = xsalsa20_poly1305(sharedSecret, nOnce).decrypt(sealedBytes);
+  }).toThrow("Wrong tag");
+});
+test("Hashing is deterministic", () => {
+  expect(secureHash({ b: "world", a: "hello" })).toEqual(
+    secureHash({ a: "hello", b: "world" })
+  );
+  expect(shortHash({ b: "world", a: "hello" })).toEqual(
+    shortHash({ a: "hello", b: "world" })
+  );
+});
+test("Encryption for transactions round-trips", () => {
+  const { secret } = newRandomKeySecret();
+  const encrypted1 = encryptForTransaction({ a: "hello" }, secret, {
+    in: "co_zTEST",
+    tx: { sessionID: "co_agent_zTEST_session_zTEST", txIndex: 0 }
+  });
+  const encrypted2 = encryptForTransaction({ b: "world" }, secret, {
+    in: "co_zTEST",
+    tx: { sessionID: "co_agent_zTEST_session_zTEST", txIndex: 1 }
+  });
+  const decrypted1 = decryptForTransaction(encrypted1, secret, {
+    in: "co_zTEST",
+    tx: { sessionID: "co_agent_zTEST_session_zTEST", txIndex: 0 }
+  });
+  const decrypted2 = decryptForTransaction(encrypted2, secret, {
+    in: "co_zTEST",
+    tx: { sessionID: "co_agent_zTEST_session_zTEST", txIndex: 1 }
+  });
+  expect([decrypted1, decrypted2]).toEqual([{ a: "hello" }, { b: "world" }]);
+});
+test("Encryption for transactions doesn't decrypt with a wrong key", () => {
+  const { secret } = newRandomKeySecret();
+  const { secret: secret2 } = newRandomKeySecret();
+  const encrypted1 = encryptForTransaction({ a: "hello" }, secret, {
+    in: "co_zTEST",
+    tx: { sessionID: "co_agent_zTEST_session_zTEST", txIndex: 0 }
+  });
+  const encrypted2 = encryptForTransaction({ b: "world" }, secret, {
+    in: "co_zTEST",
+    tx: { sessionID: "co_agent_zTEST_session_zTEST", txIndex: 1 }
+  });
+  const decrypted1 = decryptForTransaction(encrypted1, secret2, {
+    in: "co_zTEST",
+    tx: { sessionID: "co_agent_zTEST_session_zTEST", txIndex: 0 }
+  });
+  const decrypted2 = decryptForTransaction(encrypted2, secret2, {
+    in: "co_zTEST",
+    tx: { sessionID: "co_agent_zTEST_session_zTEST", txIndex: 1 }
+  });
+  expect([decrypted1, decrypted2]).toEqual([void 0, void 0]);
+});
+test("Encryption of keySecrets round-trips", () => {
+  const toSeal = newRandomKeySecret();
+  const sealing = newRandomKeySecret();
+  const keys = {
+    toSeal,
+    sealing
+  };
+  const sealed = sealKeySecret(keys);
+  const unsealed = unsealKeySecret(sealed, sealing.secret);
+  expect(unsealed).toEqual(toSeal.secret);
+});
+test("Encryption of keySecrets doesn't unseal with a wrong key", () => {
+  const toSeal = newRandomKeySecret();
+  const sealing = newRandomKeySecret();
+  const sealingWrong = newRandomKeySecret();
+  const keys = {
+    toSeal,
+    sealing
+  };
+  const sealed = sealKeySecret(keys);
+  const unsealed = unsealKeySecret(sealed, sealingWrong.secret);
+  expect(unsealed).toBeUndefined();
+});

package/dist/ids.mjs

@@ -0,0 +1 @@
+"use strict";

package/dist/index.mjs

@@ -0,0 +1,21 @@
+"use strict";
+import {
+  CoValue,
+  agentCredentialFromBytes,
+  agentCredentialToBytes,
+  getAgent,
+  getAgentID,
+  newRandomAgentCredential,
+  newRandomSessionID
+} from "./coValue";
+import { LocalNode } from "./node";
+import { CoMap } from "./contentTypes/coMap";
+const internals = {
+  agentCredentialToBytes,
+  agentCredentialFromBytes,
+  getAgent,
+  getAgentID,
+  newRandomAgentCredential,
+  newRandomSessionID
+};
+export { LocalNode, CoValue, CoMap, internals };

package/dist/jsonValue.mjs

@@ -0,0 +1 @@
+"use strict";

package/dist/node.mjs

@@ -0,0 +1,144 @@
+"use strict";
+import { createdNowUnique, newRandomKeySecret, seal } from "./crypto";
+import {
+  CoValue,
+  getAgent,
+  getAgentID,
+  getAgentCoValueHeader,
+  newRandomAgentCredential
+} from "./coValue";
+import { Team, expectTeamContent } from "./permissions";
+import { SyncManager } from "./sync";
+export class LocalNode {
+  coValues = {};
+  agentCredential;
+  agentID;
+  ownSessionID;
+  sync = new SyncManager(this);
+  constructor(agentCredential, ownSessionID) {
+    this.agentCredential = agentCredential;
+    const agent = getAgent(agentCredential);
+    const agentID = getAgentID(agent);
+    this.agentID = agentID;
+    this.ownSessionID = ownSessionID;
+    const agentCoValue = new CoValue(getAgentCoValueHeader(agent), this);
+    this.coValues[agentCoValue.id] = {
+      state: "loaded",
+      coValue: agentCoValue
+    };
+  }
+  createCoValue(header) {
+    const coValue = new CoValue(header, this);
+    this.coValues[coValue.id] = { state: "loaded", coValue };
+    void this.sync.syncCoValue(coValue);
+    return coValue;
+  }
+  loadCoValue(id) {
+    let entry = this.coValues[id];
+    if (!entry) {
+      entry = newLoadingState();
+      this.coValues[id] = entry;
+      this.sync.loadFromPeers(id);
+    }
+    if (entry.state === "loaded") {
+      return Promise.resolve(entry.coValue);
+    }
+    return entry.done;
+  }
+  async load(id) {
+    return (await this.loadCoValue(id)).getCurrentContent();
+  }
+  expectCoValueLoaded(id, expectation) {
+    const entry = this.coValues[id];
+    if (!entry) {
+      throw new Error(
+        `${expectation ? expectation + ": " : ""}Unknown CoValue ${id}`
+      );
+    }
+    if (entry.state === "loading") {
+      throw new Error(
+        `${expectation ? expectation + ": " : ""}CoValue ${id} not yet loaded`
+      );
+    }
+    return entry.coValue;
+  }
+  createAgent(publicNickname) {
+    const agentCredential = newRandomAgentCredential(publicNickname);
+    this.createCoValue(getAgentCoValueHeader(getAgent(agentCredential)));
+    return agentCredential;
+  }
+  expectAgentLoaded(id, expectation) {
+    var _a;
+    const coValue = this.expectCoValueLoaded(
+      id,
+      expectation
+    );
+    if (coValue.header.type !== "comap" || coValue.header.ruleset.type !== "agent") {
+      throw new Error(
+        `${expectation ? expectation + ": " : ""}CoValue ${id} is not an agent`
+      );
+    }
+    return {
+      recipientID: coValue.header.ruleset.initialRecipientID,
+      signatoryID: coValue.header.ruleset.initialSignatoryID,
+      publicNickname: (_a = coValue.header.publicNickname) == null ? void 0 : _a.replace("agent-", "")
+    };
+  }
+  createTeam() {
+    const teamCoValue = this.createCoValue({
+      type: "comap",
+      ruleset: { type: "team", initialAdmin: this.agentID },
+      meta: null,
+      ...createdNowUnique(),
+      publicNickname: "team"
+    });
+    let teamContent = expectTeamContent(teamCoValue.getCurrentContent());
+    teamContent = teamContent.edit((editable) => {
+      editable.set(this.agentID, "admin", "trusting");
+      const readKey = newRandomKeySecret();
+      const revelation = seal(
+        readKey.secret,
+        this.agentCredential.recipientSecret,
+        /* @__PURE__ */ new Set([getAgent(this.agentCredential).recipientID]),
+        {
+          in: teamCoValue.id,
+          tx: teamCoValue.nextTransactionID()
+        }
+      );
+      editable.set(
+        "readKey",
+        { keyID: readKey.id, revelation },
+        "trusting"
+      );
+    });
+    return new Team(teamContent, this);
+  }
+  testWithDifferentCredentials(agentCredential, ownSessionID) {
+    const newNode = new LocalNode(agentCredential, ownSessionID);
+    newNode.coValues = Object.fromEntries(
+      Object.entries(this.coValues).map(([id, entry]) => {
+        if (entry.state === "loading") {
+          return void 0;
+        }
+        const newCoValue = new CoValue(
+          entry.coValue.header,
+          newNode
+        );
+        newCoValue.sessions = entry.coValue.sessions;
+        return [id, { state: "loaded", coValue: newCoValue }];
+      }).filter((x) => !!x)
+    );
+    return newNode;
+  }
+}
+export function newLoadingState() {
+  let resolve;
+  const promise = new Promise((r) => {
+    resolve = r;
+  });
+  return {
+    state: "loading",
+    done: promise,
+    resolve
+  };
+}

package/dist/permissions.mjs

@@ -0,0 +1,244 @@
+"use strict";
+import {
+  createdNowUnique,
+  newRandomKeySecret,
+  seal,
+  sealKeySecret
+} from "./crypto";
+import {
+  agentIDfromSessionID
+} from "./coValue";
+export function determineValidTransactions(coValue) {
+  if (coValue.header.ruleset.type === "team") {
+    const allTrustingTransactionsSorted = Object.entries(
+      coValue.sessions
+    ).flatMap(([sessionID, sessionLog]) => {
+      return sessionLog.transactions.map((tx, txIndex) => ({ sessionID, txIndex, tx })).filter(({ tx }) => {
+        if (tx.privacy === "trusting") {
+          return true;
+        } else {
+          console.warn("Unexpected private transaction in Team");
+          return false;
+        }
+      });
+    });
+    allTrustingTransactionsSorted.sort((a, b) => {
+      return a.tx.madeAt - b.tx.madeAt;
+    });
+    const initialAdmin = coValue.header.ruleset.initialAdmin;
+    if (!initialAdmin) {
+      throw new Error("Team must have initialAdmin");
+    }
+    const memberState = {};
+    const validTransactions = [];
+    for (const {
+      sessionID,
+      txIndex,
+      tx
+    } of allTrustingTransactionsSorted) {
+      const transactor = agentIDfromSessionID(sessionID);
+      const change = tx.changes[0];
+      if (tx.changes.length !== 1) {
+        console.warn("Team transaction must have exactly one change");
+        continue;
+      }
+      if (change.op !== "insert") {
+        console.warn("Team transaction must set a role or readKey");
+        continue;
+      }
+      if (change.key === "readKey") {
+        if (memberState[transactor] !== "admin") {
+          console.warn("Only admins can set readKeys");
+          continue;
+        }
+        validTransactions.push({ txID: { sessionID, txIndex }, tx });
+        continue;
+      }
+      const affectedMember = change.key;
+      const assignedRole = change.value;
+      if (change.value !== "admin" && change.value !== "writer" && change.value !== "reader" && change.value !== "revoked") {
+        console.warn("Team transaction must set a valid role");
+        continue;
+      }
+      const isFirstSelfAppointment = !memberState[transactor] && transactor === initialAdmin && change.op === "insert" && change.key === transactor && change.value === "admin";
+      if (!isFirstSelfAppointment) {
+        if (memberState[transactor] !== "admin") {
+          console.warn(
+            "Team transaction must be made by current admin"
+          );
+          continue;
+        }
+        if (memberState[affectedMember] === "admin" && affectedMember !== transactor && assignedRole !== "admin") {
+          console.warn("Admins can only demote themselves.");
+          continue;
+        }
+      }
+      memberState[affectedMember] = change.value;
+      validTransactions.push({ txID: { sessionID, txIndex }, tx });
+    }
+    return validTransactions;
+  } else if (coValue.header.ruleset.type === "ownedByTeam") {
+    const teamContent = coValue.node.expectCoValueLoaded(
+      coValue.header.ruleset.team,
+      "Determining valid transaction in owned object but its team wasn't loaded"
+    ).getCurrentContent();
+    if (teamContent.type !== "comap") {
+      throw new Error("Team must be a map");
+    }
+    return Object.entries(coValue.sessions).flatMap(
+      ([sessionID, sessionLog]) => {
+        const transactor = agentIDfromSessionID(sessionID);
+        return sessionLog.transactions.filter((tx) => {
+          const transactorRoleAtTxTime = teamContent.getAtTime(
+            transactor,
+            tx.madeAt
+          );
+          return transactorRoleAtTxTime === "admin" || transactorRoleAtTxTime === "writer";
+        }).map((tx, txIndex) => ({
+          txID: { sessionID, txIndex },
+          tx
+        }));
+      }
+    );
+  } else if (coValue.header.ruleset.type === "unsafeAllowAll") {
+    return Object.entries(coValue.sessions).flatMap(
+      ([sessionID, sessionLog]) => {
+        return sessionLog.transactions.map((tx, txIndex) => ({
+          txID: { sessionID, txIndex },
+          tx
+        }));
+      }
+    );
+  } else if (coValue.header.ruleset.type === "agent") {
+    return [];
+  } else {
+    throw new Error("Unknown ruleset type " + coValue.header.ruleset.type);
+  }
+}
+export function expectTeamContent(content) {
+  if (content.type !== "comap") {
+    throw new Error("Expected map");
+  }
+  return content;
+}
+export class Team {
+  teamMap;
+  node;
+  constructor(teamMap, node) {
+    this.teamMap = teamMap;
+    this.node = node;
+  }
+  get id() {
+    return this.teamMap.id;
+  }
+  addMember(agentID, role) {
+    this.teamMap = this.teamMap.edit((map) => {
+      const agent = this.node.expectAgentLoaded(agentID, "Expected to know agent to add them to team");
+      if (!agent) {
+        throw new Error("Unknown agent " + agentID);
+      }
+      map.set(agentID, role, "trusting");
+      if (map.get(agentID) !== role) {
+        throw new Error("Failed to set role");
+      }
+      const currentReadKey = this.teamMap.coValue.getCurrentReadKey();
+      if (!currentReadKey.secret) {
+        throw new Error("Can't add member without read key secret");
+      }
+      const revelation = seal(
+        currentReadKey.secret,
+        this.teamMap.coValue.node.agentCredential.recipientSecret,
+        /* @__PURE__ */ new Set([agent.recipientID]),
+        {
+          in: this.teamMap.coValue.id,
+          tx: this.teamMap.coValue.nextTransactionID()
+        }
+      );
+      map.set(
+        "readKey",
+        { keyID: currentReadKey.id, revelation },
+        "trusting"
+      );
+    });
+  }
+  rotateReadKey() {
+    const currentlyPermittedReaders = this.teamMap.keys().filter((key) => {
+      if (key.startsWith("co_agent")) {
+        const role = this.teamMap.get(key);
+        return role === "admin" || role === "writer" || role === "reader";
+      } else {
+        return false;
+      }
+    });
+    const maybeCurrentReadKey = this.teamMap.coValue.getCurrentReadKey();
+    if (!maybeCurrentReadKey.secret) {
+      throw new Error("Can't rotate read key secret we don't have access to");
+    }
+    const currentReadKey = {
+      id: maybeCurrentReadKey.id,
+      secret: maybeCurrentReadKey.secret
+    };
+    const newReadKey = newRandomKeySecret();
+    const newReadKeyRevelation = seal(
+      newReadKey.secret,
+      this.teamMap.coValue.node.agentCredential.recipientSecret,
+      new Set(
+        currentlyPermittedReaders.map(
+          (reader) => {
+            const readerAgent = this.node.expectAgentLoaded(reader, "Expected to know currently permitted reader");
+            if (!readerAgent) {
+              throw new Error("Unknown agent " + reader);
+            }
+            return readerAgent.recipientID;
+          }
+        )
+      ),
+      {
+        in: this.teamMap.coValue.id,
+        tx: this.teamMap.coValue.nextTransactionID()
+      }
+    );
+    this.teamMap = this.teamMap.edit((map) => {
+      map.set(
+        "readKey",
+        {
+          keyID: newReadKey.id,
+          revelation: newReadKeyRevelation,
+          previousKeys: {
+            [currentReadKey.id]: sealKeySecret({
+              sealing: newReadKey,
+              toSeal: currentReadKey
+            }).encrypted
+          }
+        },
+        "trusting"
+      );
+    });
+  }
+  removeMember(agentID) {
+    this.teamMap = this.teamMap.edit((map) => {
+      map.set(agentID, "revoked", "trusting");
+    });
+    this.rotateReadKey();
+  }
+  createMap(meta) {
+    return this.node.createCoValue({
+      type: "comap",
+      ruleset: {
+        type: "ownedByTeam",
+        team: this.teamMap.id
+      },
+      meta: meta || null,
+      ...createdNowUnique(),
+      publicNickname: "map"
+    }).getCurrentContent();
+  }
+  testWithDifferentCredentials(credential, sessionId) {
+    return new Team(
+      expectTeamContent(
+        this.teamMap.coValue.testWithDifferentCredentials(credential, sessionId).getCurrentContent()
+      ),
+      this.node
+    );
+  }
+}